Amid the growing dominance of automated cyber crime tools like ransomware, it’s important to remember the dangers of traditional hacking methods such as MITM (man-in-the-middle) attacks.
Let’s take a look at how MITM attacks work and how you can guard against them.
What is a man-in-the-middle attack?
Picture someone on their computer. When they visit a website, their device sends the instruction through an Internet router, which is then directed to the website’s server. The server provides the information and sends it back through the router to the person’s computer.
The process happens so quickly these days that many of us don’t acknowledge how complex it is, and that’s what allows MITM attackers to strike.
They position themselves between the victim’s computer and server, enabling them to eavesdrop on what’s being shared, and in some cases modify it.
How does a man-in-the-middle attack work?
Attacks are most likely to occur on public Wi-Fi, because it tends to be less secure than private Internet connections.
That’s not so much a security weakness as it is part of its design. Public Wi-Fi is intended for anyone in the vicinity to use, so naturally it will be less secure than your home or office network, which contains protections that ensure only authorised people can connect.
But how do criminals get in the middle? The first step is to compromise the Internet router, which they can do with tools that scan for unpatched flaws or other vulnerabilities.
Next, they intercept and decrypt the victim’s transmitted data using a variety of techniques, which we discuss below.
MITM attackers generally do this to steal login credentials for email and website accounts, which they can use to launch targeted attacks like phishing emails. But if the attacker is lucky, the victim will unwittingly visit their online bank portal and hand over their account information.
Types of attack
MITM attacks can take many forms, but these are some of the most common:
- IP spoofing
Every device that connects to the Internet does so through an IP (Internet Protocol) address, which is a number assigned to your device based on your physical location.
By spoofing an IP address, criminal hackers can trick you into believing you’re interacting with the website or person you tried to reach.
- Email hijacking
Cyber criminals often target emails between banks and customers with the intention of spoofing the bank’s email address and sending their own instructions. This is a ruse to get the victim to provide their login credentials and payment card details.
- HTTPS spoofing
A general rule of thumb for knowing if a website is genuine is if it has a green lock symbol next to it and begins with ‘https://’ instead of simply ‘http://’.
The extra ‘s’ stands for ‘secure’, indicating that the connection between you and the server has been encrypted and therefore can’t be hijacked.
Unfortunately, attackers have developed a way around this. They create their own website that looks identical to the one you’re trying to reach but with a slightly different URL. A lowercase ‘l’ might become an uppercase ‘I’, for example, or they’ll use letters from the Cyrillic alphabet.
When victims try to reach the legitimate site, the attacker will redirect them to their own site, where they can siphon off information.
- Wi-Fi eavesdropping
Instead of exploiting a vulnerability in an existing Wi-Fi connection, attackers might set up their own Internet hotspot and give it an inconspicuous name.
All they have to do is wait for a victim to connect, at which point they can eavesdrop on their Internet activity.
A basic method cyber criminals use is sniffing, in which they deploy tools that inspect packets – units of data that are transferred over a network. These can be used to intercept unencrypted information, such as passwords and usernames.
Attackers might also perform packet injection, in which malicious packets are inserted into data communication streams to disrupt victims’ ability to use certain network services or protocols.
A similar version of this attack is known as session hijacking (or cookie hijacking), in which the criminal sniffs sensitive traffic to identify the victim’s session token.
With that information, the attacker uses source-routed IP packets to intercept data as it’s being transferred from the victim’s computer to the server and make requests as though they were the user.
Finally, cyber criminals attempting to intercept traffic from an HTTPS website might conduct an SSL stripping attack. This involves intercepting packets and altering their address to direct the victim to the less secure HTTP equivalent.
HTTP pages don’t encrypt information as it’s being shared, meaning the attacker can sniff information and perform packet injection.
How to prevent man-in-the-middle attacks
The dangers of MITM attacks might make you reluctant to use public Wi-Fi. That’s not the worst advice in the world – at least if you intend on doing anything that could expose sensitive information, such as logging in to your work email account or online bank account.
That’s not to say you can’t access that information on the go. Mobile data is an ideal option for sensitive web browsing, as it’s much less susceptible to cyber crime.
But if that’s not an option, there are steps you can take to protect yourself while using public Wi-Fi, such as:
- Using a VPN
There are many cyber security benefits of using a VPN (virtual private network), such as the fact that it masks your IP address by bouncing it through a private server.
VPNs also encrypt the data as it’s being transmitted over the Internet. This doesn’t make you impenetrable to MITM attacks, but it makes life much harder for crooks and will likely cause them to look for an easier target.
- Only visiting HTTPS websites
As with VPNs, HTTPS websites encrypt data and prevent attackers from intercepting communications.
It’s possible for criminals to circumvent these protections with HTTPS spoofing or SSL stripping, but you can thwart their attempts with a little legwork.
For example, you can avoid HTTPS spoofing by manually typing the web address instead of relying on links.
Likewise, you can detect SSL stripping by checking that the web address indeed begins with ‘https://’ or has a lock symbol indicating that it’s secure.
The MITM attacker can redirect you from a secure site to an insecure one, but it will be clear that this has happened if you check the address bar.
- Watching out for phishing scams
Phishing emails are used in a variety of scams that involve siphoning off personal data, and MITM attacks are no exception.
Attackers often intend to use the details they intercept to craft tailored phishing emails.
When done right – such as a phony invoice or a bogus email from your bank asking you to log in to your account – these scams can be much more lucrative than simply gathering sensitive information and selling it on the dark web.
MITM attackers’ use of phishing is, perhaps contrary to what you might think, good news, because it means that even if you’re unable to prevent an attacker from capturing your web traffic, you can mitigate the damage as long as you can tell when you’ve received a scam email.
So how can you do that? Your best option is to study the tricks cyber criminals use and what their scams look like.
Our Certified Cyber Security Foundation Distance Learning Training Course shows you these and more.
Designed by experts and delivered by professionals, this course is ideal for those who want a comprehensive overview of the cyber threat landscape. It covers topics such as:
- Password security;
- Mobile device security;
- Social media threats; and
- The risks involved in remote working.